CRITICAL🇵🇱 Wersja polska

CVE-2024-9644

CVSS 9.8v3.1pub. 2025-02-04upd. 2025-09-19

The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to an authentication bypass vulnerability in the administrative web server. Authentication is not enforced on some administrative functionality when using the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint. A remote and unauthenticated can use this vulnerability to modify settings or chain with existing authenticated vulnerabilities.

🤖 AI Analysis
How it works

The router's web application requires authentication for the standard 'apply.cgi' endpoint, but does not enforce it for the alternative 'bapply.cgi' endpoint, which provides some of the same administrative functionality. An attacker can direct requests directly to 'bapply.cgi', completely bypassing the access control mechanism (CWE-306 – Missing Authentication for Critical Function, CWE-489 – Active Residual Developer/Diagnostic Endpoint). The vulnerability is exploitable remotely over the network without requiring an account or user interaction.

Impact

An attacker can modify router settings without authentication, and can combine this vulnerability with other flaws requiring prior authentication, potentially gaining full control of the device, intercepting network traffic, or disrupting network availability.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until updates are deployed, it is recommended to restrict access to the administrative panel only to trusted IP addresses (e.g., via firewall or ACL) and isolate devices in a dedicated network segment.

Who is affected

Four-Faith F3x36 router with firmware version v2.0.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Four Faith F3x36

    HW
    Four-Faith
    wszystkie wersje
  • Four Faith F3x36 Firmware

    OS
    Four-Faith
    2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-9643CRITICAL9.8PL ✓ten sam produkt

Auth Bypass przez zakodowane dane logowania w routerze Four-Faith F3x36

CVE-2024-12856HIGH7.2ten sam produkt

The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulner...

CVE-2023-3805HIGH7.3ten sam vendor

A vulnerability, which was classified as critical, has been found in Xiamen Four Letter Video Surveillance Man...

CVE-2019-12168HIGH7.2ten sam vendor

Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Ad...

CVE-2025-11018MEDIUM5.5ten sam vendor

A flaw has been found in Four-Faith Water Conservancy Informatization Platform 1.0. This affects an unknown fu...